Skip to content

Feature: per-OAuth-app option to ignore/override prompt=login #9126

Description

@zmolly

Summary

When Clerk is used as an OIDC Identity Provider (via OAuth Applications), the /oauth/authorize endpoint strictly honors prompt=login — always showing the sign-in form even when the user has an active session. We need a per-OAuth-app configuration to override this, allowing silent authentication when a valid session exists.

Context

We use Clerk as the external IdP for Shopify's new customer accounts (Plus store, headless Hydrogen storefront). The architecture:

  • Storefront (avnzor.com): users sign in via Clerk's embedded <SignIn> component
  • Checkout/Account (account.avnzor.com): Shopify's customer account system, configured with Clerk as the OIDC IdP
  • Clerk OAuth app: confidential client, consent screen disabled, scopes openid email profile offline_access

The problem: Shopify always sends prompt=login to Clerk's authorize endpoint. This forces a full re-authentication even when the user just signed in on the storefront seconds ago — creating a double sign-in experience.

What we've verified

Test Result
Clerk FAPI session propagates to Account Portal accounts.avnzor.com/user shows profile
prompt=none silently issues auth code ✅ Code issued, no UI, session survives
prompt=login with active session ❌ Full sign-in form shown (per OIDC spec)
prompt=login kills the storefront session ❌ Session survives (not the issue)

Request

Add a per-OAuth-application setting (e.g., on the OAuth app object or via PATCH /oauth_applications/{id}) that controls how prompt=login is handled. Something like:

{
  "prompt_override": "auto"
}

Where:

  • "strict" (default): honor prompt=login per OIDC spec (current behavior)
  • "auto": if the user has an active session, treat prompt=login as prompt=none (skip re-authentication); only show the sign-in form if no session exists
  • "none": always attempt silent auth, return login_required error if no session

This would allow IdP integrations with platforms like Shopify (which hardcode prompt=login) to work seamlessly without double sign-in.

Alternative: paths.sign_in with absolute URLs

We attempted to use the instance paths.sign_in config to redirect the OAuth sign-in flow to our own page (where we'd intercept and rewrite the prompt). However, paths.sign_in only accepts relative paths — it cannot redirect to an external domain. Supporting absolute URLs there would also solve this use case, though the per-app prompt override is cleaner.

Environment

  • Clerk production instance (clerk-js v6)
  • FAPI domain: clerk.avnzor.com
  • Account Portal: accounts.avnzor.com
  • OAuth app client_id: o2eCeS5qgWCbLCIr
  • Clerk CLI v2.0.0

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions